Security vulnerabilities

  • Status: Closed
  • Assigned To: xlefloch
  • Private
Attached to Project: Security vulnerabilities
Opened by monty099 - 03.02.2026
Last edited by xlefloch - 12.02.2026

FS#294 - Title: Persistent Owner Access Leads to Mailing Takeover After Domain Transfer

Description

There is a flaw in permission management within Alwaysdata’s Mailing system that allows the Owner role to remain associated with an old user identity even after the email address is modified, the user is deleted, and the domain is transferred to another account. This results in an attacker being able to retain full control over a Mailing instance linked to a domain that is now owned by the victim.

Steps to Reproduce

1. The attacker creates an Alwaysdata account (Account A).

2. Creates a Domain within the account and then creates a Mailing associated with this domain.

3. Creates an email user such as: a@example.com.

4. From the Mailing settings, grants the user a@example.com the Owner role.

5. From user management, modifies the email from a@example.com to b@example.com by intercepting the request (Burp) and sending the modified request.

6. After the modification succeeds, deletes the user b@example.com.

7. Transfers the domain to the victim’s account (Account B).

8. The victim receives the domain with an existing Mailing.

9. The attacker is able to access the Mailing management interface using the old identity a@example.com and still has the Owner role.

POC: https://admin.alwaysdata.com/support/91899/

Impact

Full control of a Mailing that belongs to a domain the attacker does not own.

Full unauthorized access.

Compromise of the victim’s data confidentiality and integrity.

Suggested Fix

Add additional validation to prevent any Owners from existing outside the current domain owner’s account.
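To make the authorization gap concrete, here is an added example (not Alwaysdata's code; the `User`, `Domain`, `Mailing` and `Platform` classes are a hypothetical model) that replays steps 1 to 9 against an owner check keyed on the stored e-mail string, and against the hardened check the suggested fix calls for: an Owner must resolve to a live user whose account is the domain's current owner account.

```python
from dataclasses import dataclass, field

# Hypothetical model of the three objects the report involves; not Alwaysdata's code.
@dataclass
class User:
    uid: int
    email: str
    account: str            # Alwaysdata account the mailbox user lives in

@dataclass
class Domain:
    name: str
    account: str            # current owner account, changed by a transfer

@dataclass
class Mailing:
    domain: str
    owners: set = field(default_factory=set)   # Owner role keyed by e-mail string (the flaw)

class Platform:
    def __init__(self):
        self.users, self.domains, self.mailings = {}, {}, {}

    def is_owner_vulnerable(self, mailing, email):
        # Trusts the stored identity string alone: it survives rename, delete and transfer.
        return email in mailing.owners

    def is_owner_hardened(self, mailing, email):
        # Owner must resolve to a live user with exactly this e-mail, and that user must
        # belong to the account that currently holds the domain (the report's suggested fix).
        domain = self.domains[mailing.domain]
        user = next((u for u in self.users.values() if u.email == email), None)
        return (email in mailing.owners and user is not None
                and user.account == domain.account)

def reproduce():
    """Replay steps 1-9 of the report on the model; return (vulnerable, hardened) verdicts."""
    p = Platform()
    p.domains["example.com"] = Domain("example.com", account="A")        # steps 1-2
    m = p.mailings["example.com"] = Mailing("example.com")
    p.users[1] = User(1, "a@example.com", account="A")                   # step 3
    m.owners.add("a@example.com")                                        # step 4
    p.users[1].email = "b@example.com"   # step 5: rename leaves the owner entry untouched
    del p.users[1]                       # step 6: delete leaves the owner entry untouched
    p.domains["example.com"].account = "B"                               # step 7
    stale = "a@example.com"                                              # step 9
    return p.is_owner_vulnerable(m, stale), p.is_owner_hardened(m, stale)
```

The hardened check rejects the stale identity even though the owner entry was never cleaned up; a complete fix would additionally prune owner entries on user rename, user deletion and domain transfer so the stored role list cannot drift from live users in the first place.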

Closed by xlefloch
12.02.2026 17:25
Reason for closing: Fixed

Hi team,

Any update?

Thank you,

Admin

Hello,

I will review your report and get back to you.

Regards,

Admin

A patch has been released. Can you confirm that this fixes the problem?

Hi,

I confirm that the issue has been resolved.

Thank you,
